View | Details | Raw Unified | Return to bug 176832

(-)jail.8 (-32 / +32 lines)
Lines 102-110 Link Here
102
.It Fl rc
102
.It Fl rc
103
Restart an existing jail.
103
Restart an existing jail.
104
The jail is first removed and then re-created, as if
104
The jail is first removed and then re-created, as if
105
.Dq Nm Fl c
106
and
107
.Dq Nm Fl r
105
.Dq Nm Fl r
106
and
107
.Dq Nm Fl c
108
were run in succession.
108
were run in succession.
109
.It Fl cm
109
.It Fl cm
110
Create a jail if it does not exist, or modify the jail if it does exist.
110
Create a jail if it does not exist, or modify the jail if it does exist.
Lines 134-140 Link Here
134
parameter (or
134
parameter (or
135
.Va hostname )
135
.Va hostname )
136
and add all IP addresses returned by the resolver
136
and add all IP addresses returned by the resolver
137
to the list of addresses for this prison.
137
to the list of addresses for this jail.
138
This is equivalent to the
138
This is equivalent to the
139
.Va ip_hostname
139
.Va ip_hostname
140
parameter.
140
parameter.
Lines 314-327 Link Here
314
file format, and need not be explicitly set when using the configuration
314
file format, and need not be explicitly set when using the configuration
315
file.
315
file.
316
.It Va path
316
.It Va path
317
The directory which is to be the root of the prison.
317
The directory which is to be the root of the jail.
318
Any commands run inside the prison, either by
318
Any commands run inside the jail, either by
319
.Nm
319
.Nm
320
or from
320
or from
321
.Xr jexec 8 ,
321
.Xr jexec 8 ,
322
are run from this directory.
322
are run from this directory.
323
.It Va ip4.addr
323
.It Va ip4.addr
324
A list of IPv4 addresses assigned to the prison.
324
A list of IPv4 addresses assigned to the jail.
325
If this is set, the jail is restricted to using only these addresses.
325
If this is set, the jail is restricted to using only these addresses.
326
Any attempts to use other addresses fail, and attempts to use wildcard
326
Any attempts to use other addresses fail, and attempts to use wildcard
327
addresses silently use the jailed address instead.
327
addresses silently use the jailed address instead.
Lines 333-339 Link Here
333
assigned to itself.
333
assigned to itself.
334
.It Va ip4.saddrsel
334
.It Va ip4.saddrsel
335
A boolean option to change the formerly mentioned behaviour and disable
335
A boolean option to change the formerly mentioned behaviour and disable
336
IPv4 source address selection for the prison in favour of the primary
336
IPv4 source address selection for the jail in favour of the primary
337
IPv4 address of the jail.
337
IPv4 address of the jail.
338
Source address selection is enabled by default for all jails and the
338
Source address selection is enabled by default for all jails and the
339
.Va ip4.nosaddrsel
339
.Va ip4.nosaddrsel
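Review bot: "the formerly mentioned behaviour" at line 335 reads as if the behaviour no longer applies; since this paragraph is being touched for the prison/jail sweep anyway, "the previously described behaviour" (referring to the ip4.addr source-address text just above) would be clearer.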
Lines 354-367 Link Here
354
parameter implies a value of
354
parameter implies a value of
355
.Dq new .
355
.Dq new .
356
.It Va ip6.addr , Va ip6.saddrsel , Va ip6
356
.It Va ip6.addr , Va ip6.saddrsel , Va ip6
357
A set of IPv6 options for the prison, the counterparts to
357
A set of IPv6 options for the jail, the counterparts to
358
.Va ip4.addr ,
358
.Va ip4.addr ,
359
.Va ip4.saddrsel
359
.Va ip4.saddrsel
360
and
360
and
361
.Va ip4
361
.Va ip4
362
above.
362
above.
363
.It vnet
363
.It vnet
364
Create the prison with its own virtual network stack,
364
Create the jail with its own virtual network stack,
365
with its own network interfaces, addresses, routing table, etc.
365
with its own network interfaces, addresses, routing table, etc.
366
The kernel must have been compiled with the
366
The kernel must have been compiled with the
367
.Sy VIMAGE option
367
.Sy VIMAGE option
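Review bot: ".It vnet" at line 363 is the only entry in this list without the Va macro (compare ".It Va ip6.addr , Va ip6.saddrsel , Va ip6" at 356 and ".It Va host.hostname" at 375), so the parameter name renders as plain text; while line 364 is being edited, change it to ".It Va vnet". Similarly, ".Sy VIMAGE option" at line 367 puts the word "option" inside the Sy macro and renders it bold together with VIMAGE; splitting it as ".Sy VIMAGE" followed by "option" on the next line marks only the kernel option name.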
Lines 373-379 Link Here
373
.Dq new
373
.Dq new
374
to create a new network stack.
374
to create a new network stack.
375
.It Va host.hostname
375
.It Va host.hostname
376
The hostname of the prison.
376
The hostname of the jail.
377
Other similar parameters are
377
Other similar parameters are
378
.Va host.domainname ,
378
.Va host.domainname ,
379
.Va host.hostuuid
379
.Va host.hostuuid
Lines 488-499 Link Here
488
within a jail would be able to communicate with (and potentially interfere
488
within a jail would be able to communicate with (and potentially interfere
489
with) processes outside of the jail, and in other jails.
489
with) processes outside of the jail, and in other jails.
490
.It Va allow.raw_sockets
490
.It Va allow.raw_sockets
491
The prison root is allowed to create raw sockets.
491
The jail root is allowed to create raw sockets.
492
Setting this parameter allows utilities like
492
Setting this parameter allows utilities like
493
.Xr ping 8
493
.Xr ping 8
494
and
494
and
495
.Xr traceroute 8
495
.Xr traceroute 8
496
to operate inside the prison.
496
to operate inside the jail.
497
If this is set, the source IP addresses are enforced to comply
497
If this is set, the source IP addresses are enforced to comply
498
with the IP address bound to the jail, regardless of whether or not
498
with the IP address bound to the jail, regardless of whether or not
499
the
499
the
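Review bot: "The jail root is allowed to create raw sockets." at line 491 uses "jail root" for the superuser, while the path entry at line 317 uses "the root of the jail" for the root directory; with the prison/jail rename the two now read alike. Since allow.raw_sockets is a privilege grant, "The root user of the jail is allowed to create raw sockets." avoids the ambiguity; the same wording appears in allow.quotas at line 561 ("The jail root may administer quotas") and could be changed the same way.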
Lines 558-564 Link Here
558
for information on how to configure the ZFS filesystem to operate from
558
for information on how to configure the ZFS filesystem to operate from
559
within a jail.
559
within a jail.
560
.It Va allow.quotas
560
.It Va allow.quotas
561
The prison root may administer quotas on the jail's filesystem(s).
561
The jail root may administer quotas on the jail's filesystem(s).
562
This includes filesystems that the jail may share with other jails or
562
This includes filesystems that the jail may share with other jails or
563
with non-jailed parts of the system.
563
with non-jailed parts of the system.
564
.It Va allow.socket_af
564
.It Va allow.socket_af
Lines 571-583 Link Here
571
There are pseudo-parameters that aren't passed to the kernel, but are
571
There are pseudo-parameters that aren't passed to the kernel, but are
572
used by
572
used by
573
.Nm
573
.Nm
574
to set up the prison environment, often by running specified commands
574
to set up the jail environment, often by running specified commands
575
when jails are created or removed.
575
when jails are created or removed.
576
The
576
The
577
.Va exec.*
577
.Va exec.*
578
command parameters are
578
command parameters are
579
.Xr sh 1
579
.Xr sh 1
580
command lines that are run in either the system or prison environment.
580
command lines that are run in either the system or jail environment.
581
They may be given multiple values, which run would the specified
581
They may be given multiple values, which run would the specified
582
commands in sequence.
582
commands in sequence.
583
All commands must succeed (return a zero exit status), or the jail will
583
All commands must succeed (return a zero exit status), or the jail will
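Review bot: line 581 has a word-order slip in both columns, "which run would the specified commands in sequence"; since the paragraph is already being edited at line 580, fix it to "which would run the specified commands in sequence".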
Lines 586-600 Link Here
586
The pseudo-parameters are:
586
The pseudo-parameters are:
587
.Bl -tag -width indent
587
.Bl -tag -width indent
588
.It Va exec.prestart
588
.It Va exec.prestart
589
Command(s) to run in the system environment before a prison is created.
589
Command(s) to run in the system environment before a jail is created.
590
.It Va exec.start
590
.It Va exec.start
591
Command(s) to run in the prison environment when a jail is created.
591
Command(s) to run in the jail environment when a jail is created.
592
A typical command to run is
592
A typical command to run is
593
.Dq sh /etc/rc .
593
.Dq sh /etc/rc .
594
.It Va command
594
.It Va command
595
A synonym for
595
A synonym for
596
.Va exec.start
596
.Va exec.start
597
for use when specifying a prison directly on the command line.
597
for use when specifying a jail directly on the command line.
598
Unlike other parameters whose value is a single string,
598
Unlike other parameters whose value is a single string,
599
.Va command
599
.Va command
600
uses the remainder of the
600
uses the remainder of the
Lines 608-614 Link Here
608
.It Va exec.prestop
608
.It Va exec.prestop
609
Command(s) to run in the system environment before a jail is removed.
609
Command(s) to run in the system environment before a jail is removed.
610
.It Va exec.stop
610
.It Va exec.stop
611
Command(s) to run in the prison environment before a jail is removed,
611
Command(s) to run in the jail environment before a jail is removed,
612
and after any
612
and after any
613
.Va exec.prestop
613
.Va exec.prestop
614
commands have completed.
614
commands have completed.
Lines 633-646 Link Here
633
The environment variables from the login class capability database for the
633
The environment variables from the login class capability database for the
634
target login are also set.
634
target login are also set.
635
.It Va exec.jail_user
635
.It Va exec.jail_user
636
The user to run commands as, when running in the prison environment.
636
The user to run commands as, when running in the jail environment.
637
The default is to run the commands as the current user.
637
The default is to run the commands as the current user.
638
.It Va exec.system_jail_user
638
.It Va exec.system_jail_user
639
This boolean option looks for the
639
This boolean option looks for the
640
.Va exec.jail_user
640
.Va exec.jail_user
641
in the system
641
in the system
642
.Xr passwd 5
642
.Xr passwd 5
643
file, instead of in the prison's file.
643
file, instead of in the jail's file.
644
.It Va exec.system_user
644
.It Va exec.system_user
645
The user to run commands as, when running in the system environment.
645
The user to run commands as, when running in the system environment.
646
The default is to run the commands as the current user.
646
The default is to run the commands as the current user.
Lines 651-679 Link Here
651
.It Va exec.consolelog
651
.It Va exec.consolelog
652
A file to direct command output (stdout and stderr) to.
652
A file to direct command output (stdout and stderr) to.
653
.It Va exec.fib
653
.It Va exec.fib
654
The FIB (routing table) to set when running commands inside the prison.
654
The FIB (routing table) to set when running commands inside the jail.
655
.It Va stop.timeout
655
.It Va stop.timeout
656
The maximum amount of time to wait for a prison's processes to exit
656
The maximum amount of time to wait for a jail's processes to exit
657
after sending them a
657
after sending them a
658
.Dv SIGTERM
658
.Dv SIGTERM
659
signal (which happens after the
659
signal (which happens after the
660
.Va exec.stop
660
.Va exec.stop
661
commands have completed).
661
commands have completed).
662
After this many seconds have passed, the prison will be removed, which
662
After this many seconds have passed, the jail will be removed, which
663
will kill any remaining processes.
663
will kill any remaining processes.
664
If this is set to zero, no
664
If this is set to zero, no
665
.Dv SIGTERM
665
.Dv SIGTERM
666
is sent and the prison is immediately removed.
666
is sent and the jail is immediately removed.
667
The default is 10 seconds.
667
The default is 10 seconds.
668
.It Va interface
668
.It Va interface
669
A network interface to add the prison's IP addresses
669
A network interface to add the jail's IP addresses
670
.Va ( ip4.addr
670
.Va ( ip4.addr
671
and
671
and
672
.Va ip6.addr )
672
.Va ip6.addr )
673
to.
673
to.
674
An alias for each address will be added to the interface before the
674
An alias for each address will be added to the interface before the
675
prison is created, and will be removed from the interface after the
675
jail is created, and will be removed from the interface after the
676
prison is removed.
676
jail is removed.
677
.It Op Va ip4.addr
677
.It Op Va ip4.addr
678
In addition to the IP addresses that are passed to the kernel, and
678
In addition to the IP addresses that are passed to the kernel, and
679
interface and/or a netmask may also be specified, in the form
679
interface and/or a netmask may also be specified, in the form
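Review bot: line 679 reads "and interface and/or a netmask may also be specified" in both columns; the sentence at 678 needs "an interface", so change "and interface" to "an interface" while this region is being touched.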
Lines 698-706 Link Here
698
.Va ( ip4.addr
698
.Va ( ip4.addr
699
or
699
or
700
.Va ip6.addr )
700
.Va ip6.addr )
701
for this prison.
701
for this jail.
702
This may affect default address selection for outgoing IPv4 connections
702
This may affect default address selection for outgoing IPv4 connections
703
of prisons.
703
of jails.
704
The address first returned by the resolver for each address family
704
The address first returned by the resolver for each address family
705
will be used as primary address.
705
will be used as primary address.
706
.It Va mount
706
.It Va mount
Lines 718-724 Link Here
718
filesystem on the chrooted /dev directory, and apply the ruleset in the
718
filesystem on the chrooted /dev directory, and apply the ruleset in the
719
.Va devfs_ruleset
719
.Va devfs_ruleset
720
parameter (or a default of ruleset 4: devfsrules_jail)
720
parameter (or a default of ruleset 4: devfsrules_jail)
721
to restrict the devices visible inside the prison.
721
to restrict the devices visible inside the jail.
722
.It Va allow.dying
722
.It Va allow.dying
723
Allow making changes to a
723
Allow making changes to a
724
.Va dying
724
.Va dying
Lines 1081-1087 Link Here
1081
.Pp
1081
.Pp
1082
The variable
1082
The variable
1083
.Va security.jail.max_af_ips
1083
.Va security.jail.max_af_ips
1084
determines how may address per address family a prison may have.
1084
determines how may address per address family a jail may have.
1085
The default is 255.
1085
The default is 255.
1086
.Pp
1086
.Pp
1087
Some MIB variables have per-jail settings.
1087
Some MIB variables have per-jail settings.
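Review bot: line 1084 carries a typo into the new text: "determines how may address per address family a jail may have" should read "determines how many addresses per address family a jail may have"; the line is already being rewritten for prison/jail, so fix it in the same change.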
